Abstract

An important aspect of management is to ensure the security of both
the IT infrastructure and all the valuable information contained within the
organisation. Keeping information safe and secure is a key necessity for
present-day managers. The board of directors is ultimately accountable
for the organisation's success. It is therefore imperative that its members
take responsibility for the protection of their company's information. There
has been a lot of research undertaken on information security, but very little
has been carried out on information security governance. This paper
explores and critiques the literature on both information security and
information security governance. In order to investigate these areas
effectively, it is important to classify the different theories and to trace their
intellectual origins. This paper uses Burrell and Morgan's four sociological
paradigms to explore the literature. These paradigms are functionalism,
interpretivism, radical humanism and radical structuralism. The paper
presents potential further research that may be carried out within all four
paradigms. It shows that the majority of information security and information
security governance research has been undertaken from the conventional
functionalist paradigm. In order to gain a wider and more creative
perspective, it is recommended that more research be carried out
on these two areas from the other three perspectives, thereby placing
emphasis on the human and organisational aspects.
